Free Forensics Tool - $I File Parser

In nearly all digital forensics cases where a Windows computer is involved, we need to process the Recycle Bin for deleted files. When a file is deleted through the Recycle Bin on a computer with the NTFS file system, several things occur. First, the file's NTFS $MFT entry is updated with a new parent record number; in practice this means its parent is now the Recycle Bin rather than its original location. Second, the file is given a new name: instead of the original name it becomes $R followed by six random characters and the original file extension. For example, a file named “dog.txt” could become “$R24E32E.txt”. In addition, a paired administrative file is created. This administrative file starts with $I, followed by the same six random characters and the original extension. So the paired administrative file for “$R24E32E.txt” in the example above would be “$I24E32E.txt”. These $I files contain a good deal of information, and they remain useful even when the paired $R file has been overwritten.

The $I files contain:

The original file's size

The date the file was sent to the recycle bin

The original file's full path

There aren't any good tools that specifically parse only this information out of these files quickly, which is why we made the Flashback Data $I File Parser. Take all of the $I files for your case (use your favorite forensics tool to export them) and put them in a directory. Point the program at that directory, set an output CSV file, and it will parse all of the files into the CSV. The CSV fields written are: $I file name, $R file name, Size (in bytes), Date (UTC), Original path, Original File Name, and MD5 hash of the $I file.
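To show what such a parser actually reads out of a $I file, here is an added Python example that is not the Flashback Data tool's code. It assumes the two documented $I layouts: version 1 (Vista through Windows 8: 8-byte version, 8-byte size, 8-byte FILETIME, fixed 520-byte UTF-16LE path) and version 2 (Windows 10 and later: the same header, then a 4-byte character count and a variable-length UTF-16LE path), and it builds its own constructed sample bytes rather than reading files from disk.

```python
import hashlib
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a 64-bit FILETIME value to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_i_file(name: str, data: bytes) -> dict:
    """Parse one $I file into the same fields the CSV output describes."""
    if len(data) < 24:
        raise ValueError(f"{name}: too short to be a $I file ({len(data)} bytes)")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        # Fixed 260-character (520-byte) UTF-16LE path, NUL padded.
        raw_path = data[24:24 + 520]
    elif version == 2:
        # 4-byte character count (including the NUL terminator), then the path.
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"{name}: unknown $I version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "i_file": name,
        "r_file": "$R" + name[2:],  # the paired $R file shares the random characters and extension
        "size": size,
        "date_utc": filetime_to_utc(ft).strftime("%Y-%m-%d %H:%M:%S"),
        "original_path": path,
        "original_name": path.rsplit("\\", 1)[-1],
        "md5": hashlib.md5(data).hexdigest(),
    }


def build_sample(version: int, size: int, ft: int, path: str) -> bytes:
    """Constructed test data: assemble a $I file in the chosen layout."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    body = struct.pack("<QQQ", version, size, ft)
    if version == 1:
        return body + encoded.ljust(520, b"\x00")
    return body + struct.pack("<I", len(encoded) // 2) + encoded


if __name__ == "__main__":
    # 132223104000000000 is the FILETIME for 2020-01-01 00:00:00 UTC (constructed sample).
    print(parse_i_file("$I24E32E.txt", build_sample(1, 1234, 132223104000000000, r"C:\Users\alice\Documents\dog.txt")))
```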